[Spce-user] Possible Bug? - NGCP Firewall in mr6.5.3

Hohl Matthias matthias.hohl at telematica.at
Tue Apr 2 09:20:47 EDT 2019


The config.yml settings:

 

security:

  firewall:

    enable: yes

    logging:

      days_kept: '7'

      enable: yes

      file: /var/log/firewall.log

      tag: NGCPFW

    nat_rules4: ~

    nat_rules6: ~

    policies:

      forward: DROP

      input: DROP

      output: ACCEPT

    rules4: ~

    rules6: ~

 

BTW: also no /var/log/firewall.log file will be created…

 

 

Von: Spce-user <spce-user-bounces at lists.sipwise.com> Im Auftrag von Hohl Matthias
Gesendet: Dienstag, 2. April 2019 15:18
An: 'spce-user' <spce-user at lists.sipwise.com>
Betreff: [Spce-user] Possible Bug? - NGCP Firewall in mr6.5.3

 

Hello,

 

i configured the new NGCP Firewall in my config.yml file and apply it with ngcpcfg apply and my iptables looks like this:

 

root at spce:~# iptables -L -n -v

Chain INPUT (policy ACCEPT 3139 packets, 517K bytes)

pkts bytes target     prot opt in     out     source               destination

3139  517K f2b-KAMAILIO  all  --  *      *       0.0.0.0/0            0.0.0.0/0

3142  518K f2b-KAMAILIO  all  --  *      *       0.0.0.0/0            0.0.0.0/0

3174  522K rtpengine  all  --  *      *       0.0.0.0/0            0.0.0.0/0

 

 

Now I apply the iptables filter with iptables-apply. Now it looks like this:

 

root at spce:~# iptables -L -n -v

Chain INPUT (policy DROP 1 packets, 40 bytes)

pkts bytes target     prot opt in     out     source               destination

   45 10017 f2b-KAMAILIO  all  --  *      *       0.0.0.0/0            0.0.0.0/0

   49 10197 f2b-KAMAILIO  all  --  *      *       0.0.0.0/0            0.0.0.0/0

   58 31203 rtpengine  udp  --  *      *       0.0.0.0/0            0.0.0.0/0

   53 26575 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0

   45  9670 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED

    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8

    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 0

    3   841 cluster    all  --  *      *       0.0.0.0/0            0.0.0.0/0

    1   761 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            udp dpt:5060 /* sip_ext */

    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5060 /* sip_ext */

    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5061 /* sip_ext */

    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5222 /* sip_ext */

    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5269 /* sip_ext */

    0     0 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            udp dpts:30000:44999 /* rtp_ext */

    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 /* web_ext */

    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1443 /* web_int */

    0     0 ACCEPT     tcp  --  eth0   *       92.42.136.52         0.0.0.0/0            tcp dpt:22 /* ssh_ext */

    2    80 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 5/min burst 10 LOG flags 0 level 7 prefix "NGCPFW[DROP]: "

 

 

So far so good BUT if I reboot the machine now, the iptables policies are removed and it looks like before I did the “iptables-apply” command.

So I have to “iptables-apply” again, to have my iptables rules installed.

The iptables settings are not reboot resistant.

 

I read the handbook carefully several times, but can’t find a solution for this behavior. Is this a bug?

 

 

SECOND:

It looks like that the iptables-apply just set the rules for my eth0 interface, but not for eth1… How can I enable this rules for eth1 too?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.sipwise.com/pipermail/spce-user_lists.sipwise.com/attachments/20190402/3dc3bd74/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5585 bytes
Desc: not available
URL: <http://lists.sipwise.com/pipermail/spce-user_lists.sipwise.com/attachments/20190402/3dc3bd74/attachment-0001.p7s>


More information about the Spce-user mailing list